News

Complying with new GDPR laws for data protection in your business

Since the UK Data Protection Act was first passed in 1998, our daily lives have been transformed by technological developments.

Collecting and processing data underpins almost every aspect of business, and requires new laws to ensure the citizen retains control over his or her data.

The GDPR (General Data Protection Regulation) is a new EU regulation which aims to give citizens back control of their personal data.

It also seeks to simplify the regulatory environment for international business by harmonising the regulation that already exists for countries within the EU.

It’s definitely happening

Since Britain historically voted to leave the European Union in June 2015, there has been uncertainty over which EU laws will still apply to the UK.

The government has since confirmed that the UK’s decision to leave the EU will not affect commencement of the GDPR. Businesses will still have to comply.

The regulation was adopted on 27 April 2016. It becomes fully enforceable on 25 May 2018 after a two-year transition period, and all UK businesses must be compliant by then.

GDPR essentials

There are some new laws coming into effect, and also a tightening of older regulations. Changes around consent are particularly noticeable.

Individuals will have new and more detailed rights over their own data. A person now has the right to request their own erasure. They can request their data be removed under specific circumstances. And, whereas companies could once freely auto-enrol people into receiving communications if they failed to opt out, explicit consent is now required.

Companies are required to clearly set out their terms and conditions in language that is easy to understand. Privacy settings must be set at a high level by default, and ‘legalese’ has been banned.

If there has been a data breach, companies are obliged to notify individuals affected within a set time period.

A new feature that will impact many companies is ‘Privacy by Design and by Default’. This requires data protection to be incorporated into business processes and the development of products and services from the beginning. It’s no longer sufficient to consider privacy as an afterthought.

Consequences of non-compliance

Companies will need to become compliant with the regulations by 25 May 2018. The penalties for non-compliance will be far more serious than that which the UK currently has in place.

Heavy fines will be imposed upon companies who breach the law, totalling up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is greater.

Businesses must not underestimate the changes they will have to make to comply with the new regulations. They should not wait until May 2018 to get their houses in order.

Hiring a GDPR specialist

The GDPR requires certain companies to nominate a data protection officer (DPO) under particular circumstances. For example, if they process a significant quantity of sensitive data, such as health, genetic or biometric data.

Many companies are choosing to hire GDPR specialists to help them become compliant with new regulations and avoid hefty fines.

Even if your company isn’t obligated to nominate a DPO, it could be a good idea to nominate an internal member of staff to be responsible for ensuring compliance with the GDPR.

This will help to focus your implementation efforts and drive accountability.

Final notes

Don’t leave it until the last minute to become compliant. It’s a lot to deal with, and if you don’t have the existing staff you need to become GDPR compliant, we recommend hiring a specialist.

If you are keen to discuss in more detail, please do get in touch for a consultation.